Thursday, September 29, 2016

Mozilla pushes to drop Certificates with SHA-1 based Signature Algorithms

A lot of secure websites are using certificates based on a
hash algorithm called SHA-1.

Integrity of Certificates
with SHA-1 are phased out

To any website, the veracity of this algorithm is essential in securing the website 100% cause security holes in these algorithms can cause tremendous problems where cyber attackers can obtain fraudulent certificates.

Mozilla and other browser vendors are now pushing to phase
out the SHA-1 hash algorithm. Why?

This algorithm is in the market for twenty years but in the
last few years successful attacks targeting properties of SHA-1 showed that it
is more than only back-dated. In a report published by Mozilla is a list of
various violations that go against CA/Browser Forum’s baseline
requirements.

After a deep investigation of WoSign and StartCom, besides the
back-dating of SHA-1 certs, WoSign has been accused of miss-issuing
certificates for GitHub to a customer, where arbitrary domain names have been
included in certs without prior validation.

“Mozilla’s CA team
has lost confidence in the ability of WoSign/StartCom to faithfully and
competently discharge the functions of a CA,” stated in the report by Mozilla. “Therefore we propose that, starting on a date
to be determined in the near future, Mozilla products will no longer trust
newly-issued certificates issued by either of these two CA brands.” – Mozilla report.

If customers have no faith in the validity of CA certificate
system, the Internet will experience big problems.

Having trustful CA certificate system is essential to keep the
Internet up and running.

“Mozilla believes
that continued public trust in the correct working of the CA certificate system
is vital to the health of the Internet, and we will not hesitate to take steps
such as those outlined above to maintain that public trust,” Mozilla said.

Even previously SHA-1 has been considered as a weak hash
therefore Mozilla team advices Certification Authorities (CAs) and Web site
administrators to upgrade their certificates that contain hash functions that
are much stronger and reliable such as: SHA-256, SHA-384, or SHA-512.

“We consider the following algorithms and key sizes to be
acceptable and supported in Mozilla products: SHA-1 (until a practical
collision attack against SHA-1 certificates is imminent) …” NIST Guidance
recommended that SHA-1 certificates should not be trusted beyond 2014. However,
there are still many Web sites that are using SSL certificates with SHA-1 based
signatures, so we agree with the positions of Microsoft and Google that SHA-1
certificates should not be issued after January 1, 2016, or trusted after
January 1, 2017.”- Mozilla’s CA Certificate Maintenance Policy section

Therefore, stop everything you do and go check your SSL and
Code Signing certificates and if they use the SHA-1 hash algorithm, replace it immediately
and update it to a stronger one.

Moreover, in order to not experience any problems in the future
install SSL security tool and stay worry free.